Phishing is one of the trendiest information security buzzwords, so what is it?
Well, basically phishing can be explained as tricking a user into believing they are at a certain web site when they're really at a bogus site, or sending a forged email that causes the user to believe the same.
The purpose of phishing can be summed up as an illegitimate technique to steal confidential information such as login credentials, passwords, passcodes, personal details, etc.
Phishing is just another spin on social engineering, think about it...
The ways phishing attacks are carried out are numerous, so we will only cover some of them; please remember this is not intended to be a tutorial, so specific tools and methods are not provided here.
Web site phishing attacks can be combined with forged phishing emails: the From address can be faked to appear to come from a legitimate source such as a bank, your boss, etc., and the email can ask the user to perform certain actions such as changing their password using the provided link, logging in, contacting someone, if contacted then... and more.
A lot of these emails also mask the link "in plain sight" by bluffing the user: the visible link text shows a legitimate-looking address while the link itself forwards to a different site or IP address, e.g. the user sees www.google.com but clicking the link takes them to www.kalman.co.il; this is done using simple mail and HTML manipulation methods.
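A defender-side check for exactly this trick, added here as an example and not part of the original post: it parses the anchors in an HTML email body and flags any link whose visible text looks like a domain or URL that does not match the host the href actually points to. The sample email body and its addresses are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body: the first link shows www.google.com but
# points at an IP address; the second is consistent; the third is plain text.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please visit <a href="http://198.51.100.23/login">www.google.com</a>
to verify your account.</p>
<p>Or go to <a href="https://www.google.com/account">www.google.com</a>.</p>
<p>Questions? <a href="https://support.example.org/">contact us</a></p>
"""


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside the open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible text that "looks like" a URL or domain: optional scheme, optional www., host.tld
_LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?(?:www\.)?[a-z0-9.-]+\.[a-z]{2,}", re.I)


def _host(value):
    """Lowercased hostname of a URL or bare domain, with a leading 'www.' removed."""
    host = (urlparse(value if "://" in value else "http://" + value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def find_masked_links(html):
    """Return (visible_text, href) for anchors whose displayed domain differs from the real one."""
    collector = _AnchorCollector()
    collector.feed(html)
    return [(text, href) for href, text in collector.anchors
            if _LOOKS_LIKE_URL.match(text) and _host(text) != _host(href)]
```

Run `find_masked_links(SAMPLE_EMAIL_HTML)` on the sample and only the first link is reported; a mail gateway or client plug-in can apply the same comparison before the user ever sees the message.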
Other methods include forwarding similarly named domain names to the bogus site, e.g. www.googel.com, hacking into DNS servers, hacking the computer's hosts file (a file which acts as the operating system's own simple DNS server) and of course, malware.
Malware (which includes spyware, grayware, etc.) may gather information on the user, including passwords, and may forge web sites; since most users are local administrators of their PCs, they don't usually restrict the software that runs or know how to be cautious.
What to do
- well, it's difficult to be protected unless you're an IT professional, as no software product will provide you with 100% protection or even 90%.
The best option is, as in most topics in information security, layered security, which should include:
antivirus, an updated operating system, Firefox (more secure than some of the other browsers available on the market), and of course, know your enemy!
When in doubt, don't trust! Why would your system administrator ask you to help him troubleshoot a network issue?! That's why he has his own staff!!
If he needs your password, either meet face-to-face or just ask him to reset it, use it, and when done let you change it to something you want.
Google, Yahoo, eBay and Amazon will NEVER ask you to provide them your password, trust me.
Got an email you're not sure about?! Forward it to the company by email/fax (just make sure you didn't get the email/fax contact details from the email you're checking).
Browsing to a web site via a link in the email?! Check the browser address bar and make sure the address belongs to the site you want to visit; again, when in doubt... STOP! VERIFY!